Enabling login timeout for a cookie-based session

When the login timeout feature is enabled, a logged-on cookie-based session, such as a web or mobile storefront session, that is inactive for an extended period is logged off the system, and the user is asked to log back on. If the user then logs on successfully, WebSphere Commerce runs the original request that was made by the user. If the user logon fails, the original request is discarded and the user remains logged off the system.

Note:
  • For WebSphere Commerce tools (for example, Administration Console or WebSphere Commerce Accelerator), login timeout does not present a login page to the user. Instead, it closes the browser window and it is up to the user to log back on to the tool. Thus, in the case of tools, the original request that the user submits is not processed.
  • When a user session times out and the user chooses to be remembered, the session turns into a partially authenticated session instead of a generic user session. When this happens, the redirect URL goes to the original URL instead of the logon page (ReLogonFormView). If the original URL does not allow partial credential authentication, the user is redirected to the logon page (RememberMeLogonFormView).
  • The login timeout feature applies only to requests that are not cached.
  • If the original request is secured (SSL) and does not contain a krypto parameter, then after the user logs on again the original request contains the krypto parameter that is generated by the logon command.

Procedure

  1. Define the LoginTimeoutErrorView and ReLogonFormView views for the store as described in Views for login timeout.
  2. Open the Configuration Manager.
  3. Traverse to the Login Timeout node for your instance as follows: WebSphere Commerce > node_name > Instance List > instance_name > Instance Properties > Login Timeout.
  4. To activate the login timeout feature, click the Enable check box.
  5. In the Value field, enter the login timeout value, in seconds.
    The login timeout value is stored in the WebSphere Commerce configuration file in milliseconds, while the value in the Configuration Manager is entered in seconds.
  6. Click Apply.
  7. After the configuration for your instance is updated successfully, a message that indicates a successful update is displayed.
  8. If you want to use a different timeout for tools (the Accelerator, Admin Console and OrgAdminConsole) than for the store, add the following TimeoutWebAdmin subelement to the wc-server.xml configuration file. The value is in milliseconds:
    <LoginTimeout enabled="true">
      <Timeout display="false" value="180000"/> <!-- This is the old value, used for the store. -->
      <TimeoutWebAdmin display="false" value="90000"/>
    </LoginTimeout>
  9. Restart your WebSphere Commerce instance.
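
The following Python check is an added example, not part of the WebSphere Commerce documentation or product code. It reads a <LoginTimeout> element like the one in step 8, converts the millisecond values to seconds, and flags values that look as if seconds were typed directly into wc-server.xml. The function name, the one-minute threshold and the tools-versus-store comparison are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <LoginTimeout> fragment shown in step 8.
SAMPLE = """<LoginTimeout enabled="true">
  <Timeout display="false" value="180000"/>
  <TimeoutWebAdmin display="false" value="90000"/>
</LoginTimeout>"""

# Assumption: a timeout under one minute means seconds were typed where
# the file expects milliseconds (for example 1800 instead of 1800000).
MIN_PLAUSIBLE_MS = 60_000


def audit_login_timeout(xml_text):
    """Return (settings, findings) for the first <LoginTimeout> element."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == "LoginTimeout" else root.find(".//LoginTimeout")
    if node is None:
        return {}, ["no <LoginTimeout> element found"]
    settings = {"enabled": node.get("enabled", "").lower() == "true"}
    findings = []
    if not settings["enabled"]:
        findings.append('LoginTimeout enabled is not "true": the feature is off')
    for tag, label in (("Timeout", "store"), ("TimeoutWebAdmin", "tools")):
        child = node.find(tag)
        if child is None:
            if tag == "Timeout":
                findings.append("missing <Timeout>: no store timeout value")
            continue  # TimeoutWebAdmin is only added when tools differ (step 8)
        raw = child.get("value", "")
        if not raw.isdecimal():
            findings.append(f"{tag} value {raw!r} is not a whole number of ms")
            continue
        ms = int(raw)
        settings[f"{label}_seconds"] = ms / 1000  # file stores milliseconds
        if ms < MIN_PLAUSIBLE_MS:
            findings.append(f"{tag} value {ms} ms is under one minute: "
                            "was it entered in seconds?")
    # Assumption: the tools timeout should not exceed the store timeout.
    store, tools = settings.get("store_seconds"), settings.get("tools_seconds")
    if store is not None and tools is not None and tools > store:
        findings.append("tools timeout is longer than the store timeout")
    return settings, findings


if __name__ == "__main__":
    print(audit_login_timeout(SAMPLE))
```
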